Method and Apparatus for Computing a Shared Secret Key



This application claims the benefit of U.S. Provisional Application 60/343,224, filed December 31, 2001, the contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION 



1. FIELD OF THE INVENTION 

The present invention relates to cryptographic systems, and more particularly to a method for computing a shared secret key.

2. DESCRIPTION OF THE PRIOR ART

Public key cryptography is used to provide security for information transmitted over public networks. Numerous cryptographic protocols are available to provide security, integrity and authentication. Their security is based on the apparent intractability of certain mathematical problems, such as integer factorization and the discrete logarithm problem. Public key schemes sometimes require more computing power than is generally available in constrained environments. Devices such as cellular phones, pagers, and smart cards usually have limited computing power and battery power available. In such environments, elliptic curve cryptography is particularly appealing since it provides security with parameters having a smaller number of bits. Computations are correspondingly faster because of the smaller amount of data that must be manipulated. In most cryptographic systems, parameters with a larger number of bits provide greater security at the cost of speed. Accordingly, there is a continual need to optimize cryptographic operations to run as quickly as possible, to make higher security implementations of the protocols feasible.

Digital signatures are a class of cryptographic protocols used to provide authentication. As in all public key systems, a sender has a private key and a public key. The public key is made available and authenticated to other users through a certificate or a directory. The sender signs a message using their private key, and a recipient is able to verify the signature by using the authentic public key. The mathematics of the scheme provides assurance that only the owner of the private key could generate a signature that will verify using the public key.

It is often of interest to share a key between two users of a public key cryptosystem. This key can be used to secure future communications using a symmetric key cryptosystem. The MQV (Menezes, Qu, Vanstone) protocol provides a method of sharing a key between two users of a public key cryptosystem that provides authentication of the key. This protocol is described in US Pat. No. 5,761,305, US Pat. No. 5,889,865, US Pat. No. 5,896,455, and US Pat. No. 6,122,736.

The following notation is used for the MQV protocol in a group G with a generator g:

Term     Meaning
$x$      Alice's ephemeral private key
$y$      Bob's ephemeral private key
$R_A$    Alice's ephemeral public key $g^x$
$R_B$    Bob's ephemeral public key $g^y$
$a$      Alice's long-term private key
$b$      Bob's long-term private key
$Y_A$    Alice's long-term public key $g^a$
$Y_B$    Bob's long-term public key $g^b$
$s_A$    An intermediate component of the key computed by Alice
$s_B$    An intermediate component of the key computed by Bob



An early version of the MQV protocol for sharing a key between a pair of correspondents Alice and Bob proceeds as follows in the multiplicative group of a finite field having group order $q$:

1. Alice selects $x$ at random from the interval 1 to $q-1$.
2. Alice computes $R_A = g^x$ and sends it to Bob.
3. Bob selects $y$ at random from the interval 1 to $q-1$.
4. Bob computes $R_B = g^y$ and sends it to Alice.
5. Alice computes $s_A = (x + aR_A) \bmod q$ and the shared secret $K = (R_B (Y_B)^{R_B})^{s_A}$.
6. Bob computes $s_B = (y + bR_B) \bmod q$ and the shared secret $K = (R_A (Y_A)^{R_A})^{s_B}$.

The computationally intense parts of the key agreement protocol are the exponentiations that must be performed to determine $K$.

When the MQV protocol was standardized in the ANSI X9.42/X9.63 and IEEE P1363 standards, a truncation operation was introduced to make the protocol more efficient. The MQV protocol as standardized uses a truncation operation to reduce the bit length of an exponent. The truncation operation is denoted by $\bar{X}$ and is defined as $\bar{X} = (X \bmod 2^{\lceil f/2 \rceil}) + 2^{\lceil f/2 \rceil}$, where $f$ is the bit length of $q$, so that only the low half of the bits of $X$ are retained and a single fixed bit is set above them. The protocol then proceeds as follows:

1. Alice selects $x$ at random from the interval 1 to $q-1$.
2. Alice computes $R_A = g^x$ and sends it to Bob.
3. Bob selects $y$ at random from the interval 1 to $q-1$.
4. Bob computes $R_B = g^y$ and sends it to Alice.
5. Alice computes $s_A = (x + a\bar{R}_A) \bmod q$ and the shared secret $K = (R_B (Y_B)^{\bar{R}_B})^{s_A}$.
6. Bob computes $s_B = (y + b\bar{R}_B) \bmod q$ and the shared secret $K = (R_A (Y_A)^{\bar{R}_A})^{s_B}$.

The use of the truncation operation speeds up computations since the exponent is shorter. However, this means that only half of the bits of the truncated values are used. It is believed that this truncation does not affect the security of the protocol; however, it is generally preferable in the design of cryptographic methods to use as many bits of the random values and private values as possible.
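The two protocol listings above, as an added worked example that is not part of the application text. It implements both sides of the exchange in the multiplicative group setting, in the early form and in the truncated form, and checks that Alice and Bob arrive at the same $K$. The group parameters ($p = 1019$, $q = 509$, $g = 4$) are toy values chosen for the example and are not secure; the function and variable names are the example's own.

```python
import secrets

# Toy parameters, constructed for this example and NOT secure: p = 2q + 1 with
# p = 1019 and q = 509 both prime, and g = 4 generating the order-q subgroup of Z_p^*.
P = 1019
Q = 509
G = 4


def truncate(X, q=Q):
    """The standardized MQV truncation X-bar = (X mod 2^h) + 2^h with h = ceil(f/2),
    f the bit length of q: only the low half of X's bits survive, plus one fixed bit."""
    h = (q.bit_length() + 1) // 2
    return (X % (1 << h)) + (1 << h)


def keygen(p=P, q=Q, g=G):
    """Return (private, public) with private uniform in 1..q-1 and public = g^private mod p."""
    priv = 1 + secrets.randbelow(q - 1)
    return priv, pow(g, priv, p)


def mqv_side(eph_priv, eph_pub, lt_priv, peer_eph_pub, peer_lt_pub, truncated, p=P, q=Q):
    """One correspondent's half of MQV.  With truncated=False this is the early form
        s = (x + a R) mod q,   K = (R' * Y'^R')^s mod p
    and with truncated=True the standardized form, where R and R' are replaced
    by R-bar and R'-bar.  R is the caller's own ephemeral public key, R' and Y'
    the peer's ephemeral and long-term public keys.  Returns (s, K)."""
    f = truncate if truncated else (lambda v: v)
    s = (eph_priv + lt_priv * f(eph_pub)) % q
    base = peer_eph_pub * pow(peer_lt_pub, f(peer_eph_pub), p) % p
    return s, pow(base, s, p)


def run_mqv(truncated, keys=None):
    """Run the exchange between Alice (a, x) and Bob (b, y) and return
    (K_alice, K_bob, s_a, s_b).  keys=(a, b, x, y) fixes the private values;
    otherwise they are drawn at random as steps 1 and 3 of the protocol require."""
    if keys is None:
        a, Ya = keygen()
        b, Yb = keygen()
        x, Ra = keygen()
        y, Rb = keygen()
    else:
        a, b, x, y = keys
        Ya, Yb, Ra, Rb = (pow(G, k, P) for k in (a, b, x, y))
    # Alice performs step 5, Bob step 6; both must arrive at the same K.
    s_a, K_a = mqv_side(x, Ra, a, Rb, Yb, truncated)
    s_b, K_b = mqv_side(y, Rb, b, Ra, Ya, truncated)
    return K_a, K_b, s_a, s_b


if __name__ == "__main__":
    for flag in (False, True):
        K_a, K_b, s_a, s_b = run_mqv(truncated=flag)
        print("truncated" if flag else "plain", "K agree:", K_a == K_b)
```

Both forms agree because in either case $K = g^{s_A s_B}$: the truncation changes only which bits of $R_A$ and $R_B$ feed into $s_A$, $s_B$ and the exponent of $Y$, not the symmetry of the result. With real parameters of hundreds or thousands of bits, the exponentiations in the final step dominate the cost, which is what the rest of the application addresses.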

A version of the MQV protocol uses an elliptic curve group as the underlying group G. The group generator is normally written as a point $P$, and additive notation is usually used instead of multiplicative notation. In the Elliptic Curve MQV protocol, the value $R_A$ is then equal to $xP$, and the value $R_B$ is equal to $yP$. Each value $R_A$, $R_B$ is thus a point on the elliptic curve. Since an elliptic curve point consists of two finite field elements, it is necessary to define a function $\pi$ to convert an elliptic curve point into an integer. One typical function that is used is to interpret the bit string representing the first coordinate of the elliptic curve point as a bit string representing an integer. The component $s_A$ is equal to $s_A = (x + a\pi(R_A)) \bmod q$ and the component $s_B$ is equal to $s_B = (y + b\pi(R_B)) \bmod q$. The shared key may then be expressed as $K = s_A (R_B + \pi(R_B) Y_B)$. The shared key $K$ is an elliptic curve point, and usually it will be converted into another format for use in another protocol. The conversion often involves interpreting the bit string representing $K$ as an integer. The corresponding two point multiplications are therefore necessary to compute the shared key and are also computationally intensive.

Accordingly, there is a need for a method of computing a shared key using the MQV protocols that obviates or mitigates at least some of the above disadvantages.

SUMMARY OF THE INVENTION

In general terms, it has been recognized that the computation of the MQV shared key may be optimized by using simultaneous multiplication techniques.

In accordance with one aspect of the present invention, there is provided a method of generating a key by a first correspondent. The key is computable by a second correspondent. The method comprises the steps of:

a) making available to the second correspondent a first short term public key;
b) obtaining a second short term public key from the second correspondent;
c) computing a first exponent derived from the first short term private key, the first short term public key, and the first long term private key;
d) computing a second exponent derived from the first short term private key, the first short term public key, the second short term public key and the first long term private key;
e) computing a simultaneous exponentiation of the first exponent with the second short term public key and the second exponent with the second long term public key.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

Figure 1 is a schematic representation of a cryptographic system.
Figure 2 is a flowchart showing a method performed by the correspondents in Figure 1.
Figure 3 is a flowchart showing a method used by the method of Figure 2.
Figure 4 is a flowchart showing another embodiment of the method of Figure 2.
Figure 5 is a flowchart showing yet another embodiment of the method of Figure 2.
Figure 6 is a flowchart showing an alternative method of performing the method of Figure 3.
Figure 7 is a flowchart showing another embodiment of the method of Figure 5.
Figure 8 is a flowchart showing a method used in the method of Figure 7.


DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to Figure 1, a cryptographic system is shown generally by the numeral 10. A pair of correspondents 12, 14, referred to as Alice and Bob, communicate over a network 16. Each correspondent has an arithmetic logic unit (ALU) 18, 20. The ALU can be a general-purpose computer, with a cryptographic unit, which implements cryptographic protocols from instructions provided by software. The software may be provided on a data carrier or in memory. Each correspondent has a long-term private key $a$, $b$ and a corresponding long-term public key $Y_A$, $Y_B$. Each correspondent has access to an authentic copy of the other correspondent's long-term public key.

It is desired to share a key between the correspondents using the MQV protocol. It is recognized that the MQV equations can be reorganized to provide efficient computations without necessarily using the truncation operation. The reorganization proceeds as follows.

The formula $K = (R_B (Y_B)^{R_B})^{s_A}$ that is used to determine the key can be rearranged as $K = R_B^{s_A} Y_B^{s_A R_B}$, using the notation above. Since $Y_B$ has order $q$, the exponent $s_A R_B$ may be reduced modulo $q$, so that both exponents have the bit length of $q$. This rearrangement allows the key to be computed by using a technique known as simultaneous multiple exponentiation, which uses only one set of squarings.

To compute the product $K = R_B^{s_A} Y_B^{s_A R_B}$, two tables of small exponents of $R_B$ and $Y_B$ respectively of a predetermined width are first established. The scalars $s_A$ and $s_A R_B$ are then examined using windows of the predetermined width. The multiples of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table. The product of the table entries from the two windows is multiplied into an accumulator. The accumulator is then squared in accordance with the width of the window, and then the next window is examined. This process is repeated until each window has been examined, and therefore terminates with the accumulator holding the value of $K$.

Referring to Figure 2, a method of computing a shared secret key is shown generally by the numeral 100. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (102). Alice computes the corresponding ephemeral public key $g^x$ and sends it to Bob (104). Similarly, Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (106). Bob computes the corresponding ephemeral public key $g^y$ and sends it to Alice (108). Alice computes $s_A = (x + aR_A) \bmod q$ and the shared secret $K = R_B^{s_A} Y_B^{s_A R_B}$ (110) using simultaneous multiple exponentiation, as described below. Bob computes $s_B = (y + bR_B) \bmod q$ and the shared secret $K = R_A^{s_B} Y_A^{s_B R_A}$ (112) using simultaneous multiple exponentiation.

Referring to Figure 3, a method of computing a simultaneous multiple exponentiation is shown generally by the numeral 300. A window width of a predetermined number of bits $w$ is first established (302). Then, a table of small exponents $\alpha$ of $R_B$ is established (304) and a table of small exponents $\beta$ of $Y_B$ is established (306). The table entries consist of a column of possible bit combinations (e.g. $\alpha = 1001_2$), and a column of corresponding exponentiations (e.g. $R_B^{1001_2}$). Then, the scalars $s_A$ and $s_A R_B$ are examined using windows of the window width $w$ (308). The powers of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table (310). The product of the table entries from the two windows is multiplied into an accumulator (312). The accumulator is then squared $w$ times in accordance with the width $w$ of the window (314), and then the next window is examined (316). The scalars are repeatedly examined and table entries multiplied into the accumulator and the accumulator squared $w$ times for each repetition as described above (318) until the shared secret $K$ is computed (320).

It will be noted that in this embodiment one simultaneous multiple exponentiation is used instead of two separate exponentiations. Accordingly, the number of squaring operations required corresponds to the number required for one exponentiation instead of that required for two separate exponentiations. It will be recognized that using the method of this embodiment, truncating the first exponent in an attempt to save squarings is not effective, since these squarings can be shared with the second multiplication. The truncation then saves only multiplications, not squarings, when applied to this embodiment since this embodiment uses simultaneous multiple exponentiation.

Referring to Figure 4, an alternate embodiment is shown generally by the numeral 200. In this embodiment, Alice uses the improved method of computing the shared key, while Bob can compute the shared key by any method. Alice selects (202) $x$ at random from the interval 1 to $q-1$. Then, Alice computes (204) $g^x$ and makes it available to Bob (206). Alice then obtains (208) $g^y$ from Bob. Alice computes (210) $s_A = (x + aR_A) \bmod q$ and then computes (212) the shared secret $K = R_B^{s_A} Y_B^{s_A R_B}$ using simultaneous multiple exponentiation.

Referring to Figure 5, an alternate embodiment is shown generally by the numeral 500. In this embodiment the correspondents of Figure 2 are shown carrying out the method in parallel. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (502). Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (512). Alice computes the ephemeral public key $g^x$ corresponding to the ephemeral private key $x$ (504). Similarly, Bob computes his ephemeral public key $g^y$ (514). Alice sends $g^x$ to Bob and Bob sends $g^y$ to Alice. After Alice receives Bob's ephemeral public key, she computes $s_A = (x + aR_A) \bmod q$ (506). Then Alice computes the shared secret $K$ as before (508). After Bob receives Alice's ephemeral public key, he computes $s_B$ as before (516). Then Bob computes $K$ as before (518). Thus, it will be understood that the order of the computations is not critical and it is only necessary that a correspondent have both its own private key and the other correspondent's ephemeral public key before computing $s$ and $K$.

Referring to Figure 6, an alternate method of computing a simultaneous multiple exponentiation is shown generally by the numeral 600. The exponent $s_A$ is shown stored in a register 602. The exponent $s_A R_B$ is shown stored in a register 604. Each register has an associated pointer 603, 605. The pointers are aligned to designate corresponding bits in each exponent. A pair of switches 606, 608 are provided. Two multipliers 610, 612 are shown, although their functionality could be performed by one multiplier. An accumulator 614, a squaring operation 616, and a control 618 are provided.

In use, the pointer 603 is an input to the switch 606 which controls multiplier 610 so that when the corresponding bit of $s_A$ is set, the quantity $R_B$ is multiplied into the accumulator 614. Similarly, the pointer 605 is an input to the switch 608 which operates the multiplier 612. The quantity $Y_B$ is multiplied into the accumulator 614 when the corresponding bit of register 604 is set. After the current bit of each exponent has been considered, the accumulator is squared 616, and the control 618 operates to set the pointers 603, 605 to the next bits of registers 602, 604. The process repeats until all the bits have been considered. In this way, the bits of the two exponents are considered simultaneously, and only one set of squarings is performed.
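The windowed procedure of Figure 3 and its bit-serial form of Figure 6 (the case $w = 1$), as an added example in Python that is not part of the application text. It also evaluates Alice's key both in the original form $(R_B Y_B^{R_B})^{s_A}$ and in the rearranged form $R_B^{s_A} Y_B^{s_A R_B}$ so the two can be compared, and counts squarings and multiplications. The toy group ($p = 1019$, $q = 509$, $g = 4$), the sample key values and all function names are assumptions of the example.

```python
def simul_exp(g1, e1, g2, e2, p, w=4):
    """g1^e1 * g2^e2 mod p with a single shared chain of squarings (Figure 3).

    Tables of g1^i and g2^j for 0 <= i, j < 2^w are built once.  Both exponents
    are then read w bits at a time from the most significant window down; the
    two table entries for a window are multiplied into the accumulator, which
    is squared w times before the next window.  With w = 1 this degenerates to
    the bit-serial circuit of Figure 6.  Returns (result, squarings, mults)."""
    if w < 1 or e1 < 0 or e2 < 0:
        raise ValueError("window width must be >= 1 and exponents non-negative")
    size = 1 << w
    table1 = [1] * size
    table2 = [1] * size
    for i in range(1, size):
        table1[i] = table1[i - 1] * g1 % p
        table2[i] = table2[i - 1] * g2 % p
    bits = max(e1.bit_length(), e2.bit_length())
    windows = max(1, (bits + w - 1) // w)
    acc, squarings, mults = 1, 0, 0
    for k in range(windows - 1, -1, -1):
        i = (e1 >> (k * w)) & (size - 1)
        j = (e2 >> (k * w)) & (size - 1)
        if i:
            acc = acc * table1[i] % p
            mults += 1
        if j:
            acc = acc * table2[j] % p
            mults += 1
        if k:  # no squarings after the last window
            for _ in range(w):
                acc = acc * acc % p
                squarings += 1
    return acc, squarings, mults


def mqv_key_naive(Rb, Yb, s_a, p):
    """Alice's key in the original form K = (Rb * Yb^Rb)^s_a: two full exponentiations."""
    return pow(Rb * pow(Yb, Rb, p) % p, s_a, p)


def mqv_key_simul(Rb, Yb, s_a, p, q, w=4):
    """Alice's key in the rearranged form K = Rb^s_a * Yb^(s_a Rb).  Because Yb has
    order q, the second exponent is reduced mod q so both exponents are q-sized."""
    return simul_exp(Rb, s_a, Yb, s_a * Rb % q, p, w)[0]


if __name__ == "__main__":
    # Toy group, constructed for the example (p = 2q + 1, g = 4 of order q); NOT secure.
    p, q, g = 1019, 509, 4
    Rb, Yb, s_a = pow(g, 7, p), pow(g, 11, p), 123   # sample values, constructed
    K, sq, mu = simul_exp(Rb, s_a, Yb, s_a * Rb % q, p)
    print(K == mqv_key_naive(Rb, Yb, s_a, p), "squarings:", sq, "multiplications:", mu)
```

The returned counts show the saving the text describes: the squarings are shared, so their number is fixed by the length of the longer exponent and the window width, while each window costs at most two multiplications. Note that skipping the multiplication for a zero window and indexing the tables directly with secret exponent bits is convenient for counting operations but leaks those bits through timing and cache behaviour; a production implementation would always multiply (by a table entry of 1 for a zero window) and read the table with a constant-time scan.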

The above methods can be implemented in any group where the discrete logarithm problem is believed to be intractable. One example of such a group is an elliptic curve group, where the method is very similar; however, the additive notation is usually used instead of multiplicative notation. In the elliptic curve setting, group multiplication corresponds to addition of elliptic curve points, and group exponentiation corresponds to scalar multiplication. In this case, the tables will contain a column of possible bit combinations of the scalar (e.g. $1001_2$), and a column of corresponding point multiplications (e.g. $1001_2 P$).

Referring therefore to Figure 7, the method of Figure 5 is shown in an elliptic curve setting by the numeral 700. The correspondents have common elliptic curve parameters comprising an elliptic curve, a finite field, a base point $P$ of order $q$, and a function $\pi$ to convert elliptic curve points to integers. Each correspondent has a long term private key $a$, $b$ and a corresponding long term public key $Y_A = aP$, $Y_B = bP$. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (702). Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (712). Alice computes the ephemeral public key $xP$ corresponding to the ephemeral private key $x$ (704). Similarly, Bob computes his ephemeral public key $yP$ (714). Alice sends $xP$ to Bob and Bob sends $yP$ to Alice. After Alice receives Bob's ephemeral public key, she computes $s_A = (x + a\pi(R_A)) \bmod q$ (706). Then Alice computes the shared secret $K = s_A R_B + s_A \pi(R_B) Y_B$ (708) using simultaneous multiple scalar multiplication (Figure 8). After Bob receives Alice's ephemeral public key, he computes $s_B = (y + b\pi(R_B)) \bmod q$ (716). Then Bob computes $K = s_B R_A + s_B \pi(R_A) Y_A$ (718) using simultaneous multiple scalar multiplication (Figure 8).


Referring to Figure 8, a method of performing simultaneous multiple scalar multiplication used in this embodiment is shown generally by the numeral 800. A window width of a predetermined number of bits $w$ is first established (802). Then, a table of small multiples $\alpha$ of $R_B$ is established (804) and a table of small multiples $\beta$ of $Y_B$ is established (806). The table entries consist of a column of possible bit combinations (e.g. $\alpha = 1001_2$), and a column of corresponding scalar multiples (e.g. $1001_2 R_B$). Then, the scalars $s_A$ and $s_A \pi(R_B)$ are examined using windows of the window width $w$ (808). The scalar multiples of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table (810). The sum of the table entries from the two windows is added into an accumulator (812). The accumulator is then doubled $w$ times in accordance with the width $w$ of the window (814), and then the next window is examined (816). The scalars are repeatedly examined and table entries added into the accumulator and the accumulator doubled $w$ times for each repetition as described above (818) until the shared secret $K$ is computed (820).
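The elliptic curve form of Figures 7 and 8, as an added example in Python that is not part of the application text. The curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with base point $P = (5, 1)$ of order 19 is a textbook toy curve used only so the arithmetic can be followed by hand and is not secure; the point-to-integer function $\pi$ is the x-coordinate, as the text suggests, and the sample private keys and all function names are the example's own.

```python
# Toy curve, constructed for the example and NOT secure: y^2 = x^3 + 2x + 2 over F_17.
# The group has 19 points, so the base point (5, 1) has prime order q = 19.
CURVE_P, CURVE_A, CURVE_B = 17, 2, 2
BASE = (5, 1)
INF = None  # point at infinity


def ec_add(P1, P2, p=CURVE_P, a=CURVE_A):
    """Affine point addition; handles the identity, doubling and P + (-P)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, P1):
    """Plain double-and-add, used only as the reference for checking results."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P1)
    return R


def point_order(P1):
    """Smallest n with n*P1 = INF (brute force; fine for a toy curve)."""
    n, R = 1, P1
    while R is not INF:
        R = ec_add(R, P1)
        n += 1
    return n


def simul_mul(k1, P1, k2, P2, w=2):
    """k1*P1 + k2*P2 with one shared chain of doublings (Figure 8): tables of
    i*P1 and j*P2 for 0 <= i, j < 2^w, then w-bit windows of both scalars from
    the top, adding the two table entries and doubling w times between windows."""
    size = 1 << w
    t1, t2 = [INF], [INF]
    for _ in range(1, size):
        t1.append(ec_add(t1[-1], P1))
        t2.append(ec_add(t2[-1], P2))
    windows = max(1, (max(k1.bit_length(), k2.bit_length()) + w - 1) // w)
    acc = INF
    for k in range(windows - 1, -1, -1):
        i = (k1 >> (k * w)) & (size - 1)
        j = (k2 >> (k * w)) & (size - 1)
        acc = ec_add(ec_add(acc, t1[i]), t2[j])
        if k:
            for _ in range(w):
                acc = ec_add(acc, acc)
    return acc


def pi(R):
    """Point-to-integer conversion: the x-coordinate read as an integer."""
    return R[0]


def ecmqv_side(eph_priv, eph_pub, lt_priv, peer_eph_pub, peer_lt_pub, q):
    """One side of EC MQV: s = (eph_priv + lt_priv * pi(eph_pub)) mod q and
    K = s*R' + (s*pi(R') mod q)*Y' as one simultaneous scalar multiplication."""
    s = (eph_priv + lt_priv * pi(eph_pub)) % q
    K = simul_mul(s, peer_eph_pub, s * pi(peer_eph_pub) % q, peer_lt_pub)
    return s, K


def run_ecmqv(a, b, x, y):
    """Alice holds (a, x), Bob holds (b, y).  Returns (K_alice, K_bob, s_a, s_b, q)."""
    q = point_order(BASE)
    Ya, Yb, Ra, Rb = (ec_mul(k, BASE) for k in (a, b, x, y))
    s_a, K_a = ecmqv_side(x, Ra, a, Rb, Yb, q)
    s_b, K_b = ecmqv_side(y, Rb, b, Ra, Ya, q)
    return K_a, K_b, s_a, s_b, q


if __name__ == "__main__":
    K_a, K_b, s_a, s_b, q = run_ecmqv(3, 7, 5, 11)   # sample keys, constructed
    print("q =", q, "K_alice =", K_a, "K_bob =", K_b, "agree:", K_a == K_b)
```

Both correspondents obtain $K = s_A s_B P$, which the run checks against a plain double-and-add reference. The second scalar, $s_A \pi(R_B)$, is reduced modulo $q$ before the simultaneous multiplication, which is valid because $Y_B$ has order $q$ and keeps both scalars the same length. The window tables here are indexed directly by secret scalar bits, so the same side-channel caveat applies as for the multiplicative form.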

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.



